libmongocrypt-helper 1.8.0.0.1001 → 1.11.0.0.1001
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/ext/libmongocrypt/libmongocrypt/CHANGELOG.md +33 -0
- data/ext/libmongocrypt/libmongocrypt/CMakeLists.txt +12 -1
- data/ext/libmongocrypt/libmongocrypt/CODEOWNERS +1 -4
- data/ext/libmongocrypt/libmongocrypt/Earthfile +151 -3
- data/ext/libmongocrypt/libmongocrypt/README.md +36 -40
- data/ext/libmongocrypt/libmongocrypt/bindings/cs/CMakeLists.txt +1 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/cs/MongoDB.Driver.snk +0 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/cs/MongoDB.Libmongocrypt/AssemblyInfo.cs +2 -2
- data/ext/libmongocrypt/libmongocrypt/bindings/cs/MongoDB.Libmongocrypt/Binary.cs +16 -2
- data/ext/libmongocrypt/libmongocrypt/bindings/cs/MongoDB.Libmongocrypt/CryptClientFactory.cs +8 -4
- data/ext/libmongocrypt/libmongocrypt/bindings/cs/MongoDB.Libmongocrypt/Library.cs +10 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/cs/MongoDB.Libmongocrypt/LibraryLoader.cs +81 -44
- data/ext/libmongocrypt/libmongocrypt/bindings/cs/MongoDB.Libmongocrypt/MongoDB.Libmongocrypt.csproj +2 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/cs/MongoDB.Libmongocrypt.Test/MongoDB.Libmongocrypt.Test.csproj +2 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/cs/MongoDB.Libmongocrypt.Test32/MongoDB.Libmongocrypt.Test32.csproj +2 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/cs/README.md +3 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/cs/Scripts/build.cake +21 -26
- data/ext/libmongocrypt/libmongocrypt/bindings/cs/Scripts/build.config +3 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/cs/Scripts/build.sh +0 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/benchmarks/build.gradle.kts +28 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/benchmarks/src/main/java/com/mongodb/crypt/benchmark/BenchmarkRunner.java +217 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/benchmarks/src/main/resources/keyDocument.json +24 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/build.gradle.kts +21 -6
- data/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/gradle/wrapper/gradle-wrapper.jar +0 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/gradle/wrapper/gradle-wrapper.properties +1 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/gradlew +154 -108
- data/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/gradlew.bat +7 -18
- data/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/settings.gradle.kts +1 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/main/java/com/mongodb/crypt/capi/CAPI.java +41 -6
- data/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/main/java/com/mongodb/crypt/capi/CAPIHelper.java +5 -5
- data/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/main/java/com/mongodb/crypt/capi/CipherCallback.java +27 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/main/java/com/mongodb/crypt/capi/MongoCryptImpl.java +34 -19
- data/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/main/java/com/mongodb/crypt/capi/MongoExplicitEncryptOptions.java +6 -4
- data/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/main/resources/META-INF/native-image/jni-config.json +180 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/main/resources/META-INF/native-image/reflect-config.json +134 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/test/java/com/mongodb/crypt/capi/MongoCryptTest.java +44 -2
- data/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/test/resources/fle2-find-range-explicit-v2/int32/encrypted-payload.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/test/resources/fle2-find-range-explicit-v2/int32/rangeopts.json +3 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/node/README.md +4 -900
- data/ext/libmongocrypt/libmongocrypt/bindings/python/CHANGELOG.rst +60 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/README.rst +41 -20
- data/ext/libmongocrypt/libmongocrypt/bindings/python/RELEASE.rst +6 -24
- data/ext/libmongocrypt/libmongocrypt/bindings/python/build-manylinux-wheel.sh +4 -13
- data/ext/libmongocrypt/libmongocrypt/bindings/python/hatch_build.py +36 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/libmongocrypt-version.txt +1 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/__init__.py +2 -2
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/asynchronous/auto_encrypter.py +61 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/asynchronous/credentials.py +156 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/asynchronous/explicit_encrypter.py +156 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/asynchronous/state_machine.py +149 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/auto_encrypter.py +2 -46
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/binary.py +14 -17
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/binding.py +107 -61
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/compat.py +6 -4
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/credentials.py +2 -121
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/crypto.py +31 -20
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/errors.py +2 -2
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/explicit_encrypter.py +2 -233
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py +168 -238
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/options.py +265 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/state_machine.py +2 -141
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/synchronous/auto_encrypter.py +61 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/synchronous/credentials.py +156 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/synchronous/explicit_encrypter.py +156 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/synchronous/state_machine.py +149 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/version.py +2 -2
- data/ext/libmongocrypt/libmongocrypt/bindings/python/pyproject.toml +118 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/release.sh +97 -61
- data/ext/libmongocrypt/libmongocrypt/bindings/python/{test-requirements.txt → requirements-test.txt} +4 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/python/requirements.txt +4 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/sbom.json +76 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/strip_header.py +6 -7
- data/ext/libmongocrypt/libmongocrypt/bindings/python/synchro.py +64 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/__init__.py +1 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/data/collection-info.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/data/command.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/data/compact/success/encrypted-payload.json +21 -21
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/data/encrypted-command-reply.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/data/encrypted-field-config-map.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/data/fle2-find-range-explicit-v2/int32/encrypted-payload.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/data/fle2-find-range-explicit-v2/int32/rangeopts.json +3 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/data/fle2-find-rangePreview-explicit/int32/rangeopts.json +11 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/data/fle2-find-rangePreview-explicit/int32/value-to-encrypt.json +20 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/data/key-document-azure.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/data/key-document-gcp.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/data/key-document.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/data/key-filter.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/data/list-collections-filter.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/data/mongocryptd-command.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/data/mongocryptd-reply.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/data/schema-map.json +1 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/performance/keyDocument.json +24 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/performance/perf_test.py +165 -0
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/test_binding.py +8 -12
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/test_crypto.py +9 -11
- data/ext/libmongocrypt/libmongocrypt/bindings/python/test/test_mongocrypt.py +988 -340
- data/ext/libmongocrypt/libmongocrypt/bindings/python/update-sbom.sh +14 -0
- data/ext/libmongocrypt/libmongocrypt/cmake/FetchMongoC.cmake +19 -1
- data/ext/libmongocrypt/libmongocrypt/cmake/ImportBSON.cmake +23 -0
- data/ext/libmongocrypt/libmongocrypt/cmake/IntelDFP.cmake +19 -227
- data/ext/libmongocrypt/libmongocrypt/cmake/Patch.cmake +54 -0
- data/ext/libmongocrypt/libmongocrypt/doc/img/cli-icon.png +0 -0
- data/ext/libmongocrypt/libmongocrypt/doc/img/reference-targets.png +0 -0
- data/ext/libmongocrypt/libmongocrypt/doc/releasing.md +153 -0
- data/ext/libmongocrypt/libmongocrypt/etc/calc_release_version.py +61 -28
- data/ext/libmongocrypt/libmongocrypt/etc/calc_release_version_selftest.sh +73 -0
- data/ext/libmongocrypt/libmongocrypt/etc/cyclonedx.sbom.json +108 -0
- data/ext/libmongocrypt/libmongocrypt/etc/format.sh +1 -1
- data/ext/libmongocrypt/libmongocrypt/etc/libbson-remove-GCC-diagnostic-pragma.patch +27 -0
- data/ext/libmongocrypt/libmongocrypt/etc/mongo-inteldfp-alpine-arm-fix.patch +17 -0
- data/ext/libmongocrypt/libmongocrypt/etc/packager.py +120 -91
- data/ext/libmongocrypt/libmongocrypt/etc/purls.txt +14 -0
- data/ext/libmongocrypt/libmongocrypt/etc/repo_config.yaml +56 -0
- data/ext/libmongocrypt/libmongocrypt/etc/silk-create-asset-group.sh +70 -0
- data/ext/libmongocrypt/libmongocrypt/etc/ssdlc_compliance_report.md +37 -0
- data/ext/libmongocrypt/libmongocrypt/etc/third_party_vulnerabilities.md +42 -0
- data/ext/libmongocrypt/libmongocrypt/integrating.md +18 -1
- data/ext/libmongocrypt/libmongocrypt/kms-message/CMakeLists.txt +11 -3
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_gcp_request.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_kmip_reader_writer.c +17 -0
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_kmip_reader_writer_private.h +6 -0
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_kmip_request.c +211 -1
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_kmip_response.c +163 -0
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_kmip_tag_type_private.h +2 -1
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_message/kms_kmip_request.h +17 -0
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_message/kms_kmip_response.h +6 -0
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_port.c +3 -2
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_request.c +4 -2
- data/ext/libmongocrypt/libmongocrypt/kms-message/src/kms_request_str.c +2 -2
- data/ext/libmongocrypt/libmongocrypt/kms-message/test/test_kmip_reader_writer.c +23 -2
- data/ext/libmongocrypt/libmongocrypt/src/crypto/libcrypto.c +13 -10
- data/ext/libmongocrypt/libmongocrypt/src/mc-dec128.h +1 -1
- data/ext/libmongocrypt/libmongocrypt/src/mc-efc-private.h +16 -2
- data/ext/libmongocrypt/libmongocrypt/src/mc-efc.c +94 -6
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-encryption-placeholder-private.h +15 -5
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-encryption-placeholder.c +114 -53
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-equality-payload-private-v2.h +1 -1
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-equality-payload-private.h +1 -1
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-equality-payload-v2.c +2 -2
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-equality-payload.c +2 -2
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-range-payload-private-v2.h +21 -6
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-range-payload-private.h +5 -5
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-range-payload-v2.c +38 -2
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-find-range-payload.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-insert-update-payload-private-v2.h +20 -7
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-insert-update-payload-private.h +8 -8
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-insert-update-payload-v2.c +89 -1
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-payload-iev-v2.c +3 -3
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-payload-iev.c +1 -23
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-rfds-private.h +4 -3
- data/ext/libmongocrypt/libmongocrypt/src/mc-fle2-rfds.c +15 -12
- data/ext/libmongocrypt/libmongocrypt/src/mc-optional-private.h +11 -0
- data/ext/libmongocrypt/libmongocrypt/src/mc-range-edge-generation-private.h +16 -6
- data/ext/libmongocrypt/libmongocrypt/src/mc-range-edge-generation.c +64 -22
- data/ext/libmongocrypt/libmongocrypt/src/mc-range-encoding-private.h +23 -4
- data/ext/libmongocrypt/libmongocrypt/src/mc-range-encoding.c +359 -65
- data/ext/libmongocrypt/libmongocrypt/src/mc-range-mincover-generator.template.h +26 -14
- data/ext/libmongocrypt/libmongocrypt/src/mc-range-mincover-private.h +17 -6
- data/ext/libmongocrypt/libmongocrypt/src/mc-range-mincover.c +31 -13
- data/ext/libmongocrypt/libmongocrypt/src/mc-rangeopts-private.h +16 -3
- data/ext/libmongocrypt/libmongocrypt/src/mc-rangeopts.c +259 -63
- data/ext/libmongocrypt/libmongocrypt/src/mc-tokens-private.h +40 -24
- data/ext/libmongocrypt/libmongocrypt/src/mc-tokens.c +57 -13
- data/ext/libmongocrypt/libmongocrypt/src/mlib/int128.h +17 -0
- data/ext/libmongocrypt/libmongocrypt/src/mlib/int128.test.cpp +5 -0
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-binary-private.h +0 -5
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-buffer.c +5 -7
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-cache-key.c +1 -0
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-cache-oauth-private.h +16 -18
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-cache-oauth.c +105 -76
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-crypto.c +9 -3
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-ctx-datakey.c +170 -89
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-ctx-decrypt.c +5 -5
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-ctx-encrypt.c +505 -124
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-ctx-private.h +31 -6
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-ctx.c +81 -13
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-dll-private.h +7 -0
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-kek-private.h +5 -1
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-kek.c +161 -103
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-key-broker-private.h +2 -7
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-key-broker.c +191 -69
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-key.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-kms-ctx-private.h +50 -15
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-kms-ctx.c +365 -69
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-marking-private.h +2 -1
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-marking.c +200 -107
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-opts-private.h +50 -5
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-opts.c +591 -15
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-private.h +6 -13
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-util.c +3 -2
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt.c +47 -234
- data/ext/libmongocrypt/libmongocrypt/src/mongocrypt.h +75 -24
- data/ext/libmongocrypt/libmongocrypt/src/os_posix/os_dll.c +18 -2
- data/ext/libmongocrypt/libmongocrypt/src/os_win/os_dll.c +4 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/bulkWrite/bypassQueryAnalysis/payload.json +53 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/bulkWrite/jsonSchema/cmd-to-mongocryptd.json +23 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/bulkWrite/jsonSchema/cmd.json +20 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/bulkWrite/simple/cmd-to-mongocryptd.json +50 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/bulkWrite/simple/cmd.json +20 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/bulkWrite/simple/collinfo.json +44 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/bulkWrite/simple/encrypted-field-map.json +24 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/bulkWrite/simple/encrypted-payload-pattern.json +53 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/bulkWrite/simple/mongocryptd-reply.json +62 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/bulkWrite/unencrypted/cmd-to-mongocryptd.json +30 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/bulkWrite/unencrypted/cmd.json +17 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/bulkWrite/unencrypted/mongocryptd-reply.json +39 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/bulkWrite/unencrypted/payload.json +21 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/cleanup/missing-key-id/collinfo.json +20 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/cleanup/no-fields/collinfo.json +9 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/cleanup/no-fields/encrypted-payload.json +4 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/cleanup/success/cmd.json +1 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/cleanup/success/collinfo.json +63 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/cleanup/success/encrypted-field-config-map.json +61 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/cleanup/success/encrypted-payload-range-v2.json +37 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/cleanup/success/encrypted-payload.json +29 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/compact/anchor-pad/cmd.json +1 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/compact/anchor-pad/collinfo.json +64 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/compact/anchor-pad/encrypted-payload-range-v2.json +105 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/compact/anchor-pad/encrypted-payload.json +30 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/compact/no-range/cmd.json +1 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/compact/no-range/collinfo.json +49 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/compact/no-range/encrypted-field-config-map.json +47 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/compact/no-range/encrypted-payload.json +23 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/compact/success/collinfo.json +15 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/compact/success/encrypted-field-config-map.json +10 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/compact/success/encrypted-payload-range-v2.json +104 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/compact/success/encrypted-payload.json +6 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-explain/with-csfle/collinfo.json +4 -4
- data/ext/libmongocrypt/libmongocrypt/test/data/fle2-explain/with-csfle/encrypted-payload.json +3 -3
- data/ext/libmongocrypt/libmongocrypt/test/data/kms-azure/decrypt-response.txt +16 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/kms-azure/encrypt-response.txt +16 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/kms-azure/oauth-response.txt +19 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/no-trimFactor/find/cmd.json +9 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/no-trimFactor/find/encrypted-field-map.json +19 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/no-trimFactor/find/encrypted-payload.json +62 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/no-trimFactor/find/mongocryptd-reply.json +69 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/no-trimFactor/insert/cmd.json +11 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/no-trimFactor/insert/encrypted-field-map.json +19 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/no-trimFactor/insert/encrypted-payload.json +40 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/no-trimFactor/insert/mongocryptd-reply.json +47 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/range-edge-generation/edges_decimal128.cstruct +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/range-edge-generation/edges_double.cstruct +8637 -7958
- data/ext/libmongocrypt/libmongocrypt/test/data/range-edge-generation/edges_int32.cstruct +5522 -1382
- data/ext/libmongocrypt/libmongocrypt/test/data/range-edge-generation/edges_int64.cstruct +5042 -1262
- data/ext/libmongocrypt/libmongocrypt/test/data/range-min-cover/mincover_decimal128.cstruct +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/range-min-cover/mincover_decimal128_precision.cstruct +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/range-min-cover/mincover_double.cstruct +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/range-min-cover/mincover_double_precision.cstruct +2 -2
- data/ext/libmongocrypt/libmongocrypt/test/data/range-min-cover/mincover_int32.cstruct +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/range-min-cover/mincover_int64.cstruct +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/data/range-sends-cryptoParams/auto-find-int32/cmd.json +8 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/range-sends-cryptoParams/auto-find-int32/encrypted-field-map.json +19 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/range-sends-cryptoParams/auto-find-int32/encrypted-payload.json +53 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/range-sends-cryptoParams/auto-find-int32/mongocryptd-reply.json +58 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/range-sends-cryptoParams/auto-insert-int32/cmd.json +11 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/range-sends-cryptoParams/auto-insert-int32/encrypted-field-map.json +19 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/range-sends-cryptoParams/auto-insert-int32/encrypted-payload.json +40 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/range-sends-cryptoParams/auto-insert-int32/mongocryptd-reply.json +45 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/range-sends-cryptoParams/explicit-find-int32/expected.json +26 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/range-sends-cryptoParams/explicit-find-int32/to-encrypt.json +20 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/range-sends-cryptoParams/explicit-find-int32-defaults/expected.json +26 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/range-sends-cryptoParams/explicit-find-int32-defaults/to-encrypt.json +20 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/range-sends-cryptoParams/explicit-insert-double/expected.json +8 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/range-sends-cryptoParams/explicit-insert-int32/expected.json +8 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/range-sends-cryptoParams/explicit-insert-int32-defaults/expected.json +8 -0
- data/ext/libmongocrypt/libmongocrypt/test/data/tokens/README.md +7 -4
- data/ext/libmongocrypt/libmongocrypt/test/data/tokens/mc.json +9 -5
- data/ext/libmongocrypt/libmongocrypt/test/data/tokens/server.json +9 -5
- data/ext/libmongocrypt/libmongocrypt/test/example-state-machine.c +1 -0
- data/ext/libmongocrypt/libmongocrypt/test/test-gcp-auth.c +8 -8
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-efc.c +6 -4
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-fle2-find-range-payload-v2.c +43 -3
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-fle2-payload-iup-v2.c +76 -0
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-fle2-rfds.c +5 -5
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-range-edge-generation.c +89 -14
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-range-encoding.c +342 -76
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-range-mincover.c +94 -12
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-rangeopts.c +205 -7
- data/ext/libmongocrypt/libmongocrypt/test/test-mc-tokens.c +49 -23
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-assert-match-bson.c +16 -19
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-assert-match-bson.h +22 -1
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-cache-oauth.c +94 -11
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-cleanup.c +374 -0
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-compact.c +121 -42
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-crypto-hooks.c +134 -4
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-crypto-std-hooks.c +40 -0
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-crypto-std-hooks.h +16 -0
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-csfle-lib.c +11 -11
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-ctx-decrypt.c +8 -5
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-ctx-encrypt.c +922 -92
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-ctx-rewrap-many-datakey.c +2 -2
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-ctx-setopt.c +114 -12
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-datakey.c +14 -9
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-kms-ctx.c +424 -3
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-log.c +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-marking.c +447 -28
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-opts.c +42 -0
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-traverse-util.c +30 -26
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-util.c +7 -0
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt-util.h +3 -0
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt.c +66 -14
- data/ext/libmongocrypt/libmongocrypt/test/test-mongocrypt.h +11 -0
- data/ext/libmongocrypt/libmongocrypt/test/test-named-kms-providers.c +2381 -0
- data/ext/libmongocrypt/libmongocrypt/test/util/HELP.autogen +3 -1
- data/ext/libmongocrypt/libmongocrypt/test/util/README.md +1 -0
- data/ext/libmongocrypt/libmongocrypt/test/util/csfle.c +4 -0
- data/ext/libmongocrypt/libmongocrypt/test/util/make_includes.py +1 -1
- data/ext/libmongocrypt/libmongocrypt/test/util/util.c +38 -3
- data/lib/libmongocrypt_helper/version.rb +2 -2
- metadata +112 -106
- checksums.yaml.gz.sig +0 -0
- data/ext/libmongocrypt/libmongocrypt/VERSION_CURRENT +0 -1
- data/ext/libmongocrypt/libmongocrypt/bindings/cs/cs.sln +0 -79
- data/ext/libmongocrypt/libmongocrypt/bindings/node/CHANGELOG.md +0 -105
- data/ext/libmongocrypt/libmongocrypt/bindings/node/LICENSE +0 -201
- data/ext/libmongocrypt/libmongocrypt/bindings/node/binding.gyp +0 -79
- data/ext/libmongocrypt/libmongocrypt/bindings/node/etc/README.hbs +0 -44
- data/ext/libmongocrypt/libmongocrypt/bindings/node/etc/build-static.sh +0 -36
- data/ext/libmongocrypt/libmongocrypt/bindings/node/index.d.ts +0 -641
- data/ext/libmongocrypt/libmongocrypt/bindings/node/lib/autoEncrypter.js +0 -420
- data/ext/libmongocrypt/libmongocrypt/bindings/node/lib/buffer_pool.js +0 -123
- data/ext/libmongocrypt/libmongocrypt/bindings/node/lib/clientEncryption.js +0 -821
- data/ext/libmongocrypt/libmongocrypt/bindings/node/lib/common.js +0 -98
- data/ext/libmongocrypt/libmongocrypt/bindings/node/lib/cryptoCallbacks.js +0 -87
- data/ext/libmongocrypt/libmongocrypt/bindings/node/lib/errors.js +0 -75
- data/ext/libmongocrypt/libmongocrypt/bindings/node/lib/index.js +0 -73
- data/ext/libmongocrypt/libmongocrypt/bindings/node/lib/mongocryptdManager.js +0 -66
- data/ext/libmongocrypt/libmongocrypt/bindings/node/lib/providers/aws.js +0 -26
- data/ext/libmongocrypt/libmongocrypt/bindings/node/lib/providers/azure.js +0 -178
- data/ext/libmongocrypt/libmongocrypt/bindings/node/lib/providers/gcp.js +0 -24
- data/ext/libmongocrypt/libmongocrypt/bindings/node/lib/providers/index.js +0 -54
- data/ext/libmongocrypt/libmongocrypt/bindings/node/lib/providers/utils.js +0 -39
- data/ext/libmongocrypt/libmongocrypt/bindings/node/lib/stateMachine.js +0 -492
- data/ext/libmongocrypt/libmongocrypt/bindings/node/package-lock.json +0 -15302
- data/ext/libmongocrypt/libmongocrypt/bindings/node/package.json +0 -100
- data/ext/libmongocrypt/libmongocrypt/bindings/node/src/mongocrypt.cc +0 -956
- data/ext/libmongocrypt/libmongocrypt/bindings/node/src/mongocrypt.h +0 -114
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/autoEncrypter.test.js +0 -950
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/buffer_pool.test.js +0 -91
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/clientEncryption.test.js +0 -1093
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/common.test.js +0 -94
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/cryptoCallbacks.test.js +0 -240
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/data/README.md +0 -5
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/data/cmd.json +0 -6
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/data/collection-info.json +0 -37
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/data/encrypted-document-nested.json +0 -8
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/data/encrypted-document.json +0 -11
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/data/encryptedFields.json +0 -30
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/data/key-document.json +0 -32
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/data/key1-document.json +0 -30
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/data/mongocryptd-reply.json +0 -18
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/index.test.js +0 -45
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/mongocryptdManager.test.js +0 -48
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/providers/credentialsProvider.test.js +0 -551
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/release.test.js +0 -66
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/requirements.helper.js +0 -51
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/stateMachine.test.js +0 -331
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/tools/chai-addons.js +0 -8
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/tools/mongodb_reporter.js +0 -325
- data/ext/libmongocrypt/libmongocrypt/bindings/node/test/types/index.test-d.ts +0 -63
- data/ext/libmongocrypt/libmongocrypt/bindings/python/setup.py +0 -89
- data/ext/libmongocrypt/libmongocrypt/debian/build_snapshot.sh +0 -79
- data/ext/libmongocrypt/libmongocrypt/debian/changelog +0 -105
- data/ext/libmongocrypt/libmongocrypt/debian/compat +0 -1
- data/ext/libmongocrypt/libmongocrypt/debian/control +0 -41
- data/ext/libmongocrypt/libmongocrypt/debian/copyright +0 -129
- data/ext/libmongocrypt/libmongocrypt/debian/gbp.conf +0 -23
- data/ext/libmongocrypt/libmongocrypt/debian/libmongocrypt-dev.dirs +0 -2
- data/ext/libmongocrypt/libmongocrypt/debian/libmongocrypt-dev.install +0 -5
- data/ext/libmongocrypt/libmongocrypt/debian/libmongocrypt0.dirs +0 -1
- data/ext/libmongocrypt/libmongocrypt/debian/libmongocrypt0.install +0 -1
- data/ext/libmongocrypt/libmongocrypt/debian/rules +0 -46
- data/ext/libmongocrypt/libmongocrypt/debian/source/format +0 -1
- data/ext/libmongocrypt/libmongocrypt/debian/source/lintian-overrides +0 -3
- data/ext/libmongocrypt/libmongocrypt/debian/source/options +0 -1
- data/ext/libmongocrypt/libmongocrypt/debian/watch +0 -3
- data/ext/libmongocrypt/libmongocrypt/test/data/compact/success/mongocryptd-reply.json +0 -72
- data.tar.gz.sig +0 -1
- metadata.gz.sig +0 -0
- /data/ext/libmongocrypt/libmongocrypt/{bindings/node/test/data/kms-decrypt-reply.txt → test/data/kms-aws/decrypt-response.txt} +0 -0
- /data/ext/libmongocrypt/libmongocrypt/{bindings/node/test/data/kms-encrypt-reply.txt → test/data/kms-aws/encrypt-response.txt} +0 -0
- /data/ext/libmongocrypt/libmongocrypt/test/data/{gcp-auth → kms-gcp}/decrypt-response.txt +0 -0
- /data/ext/libmongocrypt/libmongocrypt/test/data/{gcp-auth → kms-gcp}/encrypt-response.txt +0 -0
- /data/ext/libmongocrypt/libmongocrypt/test/data/{gcp-auth → kms-gcp}/oauth-response.txt +0 -0
@@ -1,1093 +0,0 @@
|
|
1
|
-
'use strict';
|
2
|
-
const fs = require('fs');
|
3
|
-
const { expect } = require('chai');
|
4
|
-
const sinon = require('sinon');
|
5
|
-
const mongodb = require('mongodb');
|
6
|
-
const BSON = mongodb.BSON;
|
7
|
-
const MongoClient = mongodb.MongoClient;
|
8
|
-
const cryptoCallbacks = require('../lib/cryptoCallbacks');
|
9
|
-
const stateMachine = require('../lib/stateMachine')({ mongodb });
|
10
|
-
const StateMachine = stateMachine.StateMachine;
|
11
|
-
const { Binary, EJSON, deserialize } = BSON;
|
12
|
-
const {
|
13
|
-
MongoCryptCreateEncryptedCollectionError,
|
14
|
-
MongoCryptCreateDataKeyError
|
15
|
-
} = require('../lib/errors');
|
16
|
-
|
17
|
-
function readHttpResponse(path) {
|
18
|
-
let data = fs.readFileSync(path, 'utf8').toString();
|
19
|
-
data = data.split('\n').join('\r\n');
|
20
|
-
return Buffer.from(data, 'utf8');
|
21
|
-
}
|
22
|
-
|
23
|
-
const ClientEncryption = require('../lib/clientEncryption')({
|
24
|
-
mongodb,
|
25
|
-
stateMachine
|
26
|
-
}).ClientEncryption;
|
27
|
-
|
28
|
-
class MockClient {
|
29
|
-
constructor() {
|
30
|
-
this.topology = {
|
31
|
-
bson: BSON
|
32
|
-
};
|
33
|
-
}
|
34
|
-
db(dbName) {
|
35
|
-
return {
|
36
|
-
async createCollection(name, options) {
|
37
|
-
return { namespace: `${dbName}.${name}`, options };
|
38
|
-
}
|
39
|
-
};
|
40
|
-
}
|
41
|
-
}
|
42
|
-
|
43
|
-
const requirements = require('./requirements.helper');
|
44
|
-
|
45
|
-
describe('ClientEncryption', function () {
|
46
|
-
this.timeout(12000);
|
47
|
-
/** @type {MongoClient} */
|
48
|
-
let client;
|
49
|
-
|
50
|
-
function throwIfNotNsNotFoundError(err) {
|
51
|
-
if (!err.message.match(/ns not found/)) {
|
52
|
-
throw err;
|
53
|
-
}
|
54
|
-
}
|
55
|
-
|
56
|
-
async function setup() {
|
57
|
-
client = new MongoClient(process.env.MONGODB_URI || 'mongodb://localhost:27017/test');
|
58
|
-
await client.connect();
|
59
|
-
try {
|
60
|
-
await client.db('client').collection('encryption').drop();
|
61
|
-
} catch (err) {
|
62
|
-
throwIfNotNsNotFoundError(err);
|
63
|
-
}
|
64
|
-
}
|
65
|
-
|
66
|
-
function teardown() {
|
67
|
-
if (requirements.SKIP_LIVE_TESTS) {
|
68
|
-
return Promise.resolve();
|
69
|
-
}
|
70
|
-
|
71
|
-
return client.close();
|
72
|
-
}
|
73
|
-
|
74
|
-
describe('#constructor', function () {
|
75
|
-
context('when mongodb exports BSON (driver >= 4.9.0)', function () {
|
76
|
-
context('when a bson option is provided', function () {
|
77
|
-
const bson = Object.assign({}, BSON);
|
78
|
-
const encrypter = new ClientEncryption(
|
79
|
-
{},
|
80
|
-
{
|
81
|
-
bson: bson,
|
82
|
-
keyVaultNamespace: 'client.encryption',
|
83
|
-
kmsProviders: {
|
84
|
-
local: { key: Buffer.alloc(96) }
|
85
|
-
}
|
86
|
-
}
|
87
|
-
);
|
88
|
-
|
89
|
-
it('uses the bson option', function () {
|
90
|
-
expect(encrypter._bson).to.equal(bson);
|
91
|
-
});
|
92
|
-
});
|
93
|
-
|
94
|
-
context('when a bson option is not provided', function () {
|
95
|
-
const encrypter = new ClientEncryption(
|
96
|
-
{},
|
97
|
-
{
|
98
|
-
keyVaultNamespace: 'client.encryption',
|
99
|
-
kmsProviders: {
|
100
|
-
local: { key: Buffer.alloc(96) }
|
101
|
-
}
|
102
|
-
}
|
103
|
-
);
|
104
|
-
|
105
|
-
it('uses the mongodb exported BSON', function () {
|
106
|
-
expect(encrypter._bson).to.equal(BSON);
|
107
|
-
});
|
108
|
-
});
|
109
|
-
|
110
|
-
it('never uses bson from the topology', function () {
|
111
|
-
expect(() => {
|
112
|
-
new ClientEncryption(
|
113
|
-
{},
|
114
|
-
{
|
115
|
-
keyVaultNamespace: 'client.encryption',
|
116
|
-
kmsProviders: {
|
117
|
-
local: { key: Buffer.alloc(96) }
|
118
|
-
}
|
119
|
-
}
|
120
|
-
);
|
121
|
-
}).not.to.throw();
|
122
|
-
});
|
123
|
-
});
|
124
|
-
|
125
|
-
context('when mongodb does not export BSON (driver < 4.9.0)', function () {
|
126
|
-
context('when a bson option is provided', function () {
|
127
|
-
const bson = Object.assign({}, BSON);
|
128
|
-
const encrypter = new ClientEncryption(
|
129
|
-
{},
|
130
|
-
{
|
131
|
-
bson: bson,
|
132
|
-
keyVaultNamespace: 'client.encryption',
|
133
|
-
kmsProviders: {
|
134
|
-
local: { key: Buffer.alloc(96) }
|
135
|
-
}
|
136
|
-
}
|
137
|
-
);
|
138
|
-
|
139
|
-
it('uses the bson option', function () {
|
140
|
-
expect(encrypter._bson).to.equal(bson);
|
141
|
-
});
|
142
|
-
});
|
143
|
-
|
144
|
-
context('when a bson option is not provided', function () {
|
145
|
-
const mongoNoBson = { ...mongodb, BSON: undefined };
|
146
|
-
const ClientEncryptionNoBson = require('../lib/clientEncryption')({
|
147
|
-
mongodb: mongoNoBson,
|
148
|
-
stateMachine
|
149
|
-
}).ClientEncryption;
|
150
|
-
|
151
|
-
context('when the client has a topology', function () {
|
152
|
-
const client = new MockClient();
|
153
|
-
const encrypter = new ClientEncryptionNoBson(client, {
|
154
|
-
keyVaultNamespace: 'client.encryption',
|
155
|
-
kmsProviders: {
|
156
|
-
local: { key: Buffer.alloc(96) }
|
157
|
-
}
|
158
|
-
});
|
159
|
-
|
160
|
-
it('uses the bson on the topology', function () {
|
161
|
-
expect(encrypter._bson).to.equal(client.topology.bson);
|
162
|
-
});
|
163
|
-
});
|
164
|
-
|
165
|
-
context('when the client does not have a topology', function () {
|
166
|
-
it('raises an error', function () {
|
167
|
-
expect(() => {
|
168
|
-
new ClientEncryptionNoBson({}, {});
|
169
|
-
}).to.throw(/bson/);
|
170
|
-
});
|
171
|
-
});
|
172
|
-
});
|
173
|
-
});
|
174
|
-
});
|
175
|
-
|
176
|
-
describe('stubbed stateMachine', function () {
|
177
|
-
let sandbox = sinon.createSandbox();
|
178
|
-
|
179
|
-
after(() => sandbox.restore());
|
180
|
-
before(() => {
|
181
|
-
// stubbed out for AWS unit testing below
|
182
|
-
const MOCK_KMS_ENCRYPT_REPLY = readHttpResponse(`${__dirname}/data/kms-encrypt-reply.txt`);
|
183
|
-
sandbox.stub(StateMachine.prototype, 'kmsRequest').callsFake(request => {
|
184
|
-
request.addResponse(MOCK_KMS_ENCRYPT_REPLY);
|
185
|
-
return Promise.resolve();
|
186
|
-
});
|
187
|
-
});
|
188
|
-
|
189
|
-
beforeEach(function () {
|
190
|
-
if (requirements.SKIP_LIVE_TESTS) {
|
191
|
-
this.currentTest.skipReason = `requirements.SKIP_LIVE_TESTS=${requirements.SKIP_LIVE_TESTS}`;
|
192
|
-
this.test.skip();
|
193
|
-
return;
|
194
|
-
}
|
195
|
-
|
196
|
-
return setup();
|
197
|
-
});
|
198
|
-
|
199
|
-
afterEach(function () {
|
200
|
-
return teardown();
|
201
|
-
});
|
202
|
-
|
203
|
-
[
|
204
|
-
{
|
205
|
-
name: 'local',
|
206
|
-
kmsProviders: { local: { key: Buffer.alloc(96) } }
|
207
|
-
},
|
208
|
-
{
|
209
|
-
name: 'aws',
|
210
|
-
kmsProviders: { aws: { accessKeyId: 'example', secretAccessKey: 'example' } },
|
211
|
-
options: { masterKey: { region: 'region', key: 'cmk' } }
|
212
|
-
}
|
213
|
-
].forEach(providerTest => {
|
214
|
-
it(`should create a data key with the "${providerTest.name}" KMS provider`, async function () {
|
215
|
-
const providerName = providerTest.name;
|
216
|
-
const encryption = new ClientEncryption(client, {
|
217
|
-
keyVaultNamespace: 'client.encryption',
|
218
|
-
kmsProviders: providerTest.kmsProviders
|
219
|
-
});
|
220
|
-
|
221
|
-
const dataKeyOptions = providerTest.options || {};
|
222
|
-
|
223
|
-
const dataKey = await encryption.createDataKey(providerName, dataKeyOptions);
|
224
|
-
expect(dataKey).property('_bsontype', 'Binary');
|
225
|
-
|
226
|
-
const doc = await client.db('client').collection('encryption').findOne({ _id: dataKey });
|
227
|
-
expect(doc).to.have.property('masterKey');
|
228
|
-
expect(doc.masterKey).property('provider', providerName);
|
229
|
-
});
|
230
|
-
|
231
|
-
it(`should create a data key with the "${providerTest.name}" KMS provider (fixed key material)`, async function () {
|
232
|
-
const providerName = providerTest.name;
|
233
|
-
const encryption = new ClientEncryption(client, {
|
234
|
-
keyVaultNamespace: 'client.encryption',
|
235
|
-
kmsProviders: providerTest.kmsProviders
|
236
|
-
});
|
237
|
-
|
238
|
-
const dataKeyOptions = {
|
239
|
-
...providerTest.options,
|
240
|
-
keyMaterial: new BSON.Binary(Buffer.alloc(96))
|
241
|
-
};
|
242
|
-
|
243
|
-
const dataKey = await encryption.createDataKey(providerName, dataKeyOptions);
|
244
|
-
expect(dataKey).property('_bsontype', 'Binary');
|
245
|
-
|
246
|
-
const doc = await client.db('client').collection('encryption').findOne({ _id: dataKey });
|
247
|
-
expect(doc).to.have.property('masterKey');
|
248
|
-
expect(doc.masterKey).property('provider', providerName);
|
249
|
-
});
|
250
|
-
});
|
251
|
-
|
252
|
-
it(`should create a data key with the local KMS provider (fixed key material, fixed key UUID)`, async function () {
|
253
|
-
// 'Custom Key Material Test' prose spec test:
|
254
|
-
const keyVaultColl = client.db('client').collection('encryption');
|
255
|
-
const encryption = new ClientEncryption(client, {
|
256
|
-
keyVaultNamespace: 'client.encryption',
|
257
|
-
kmsProviders: {
|
258
|
-
local: {
|
259
|
-
key: 'A'.repeat(128) // the value here is not actually relevant
|
260
|
-
}
|
261
|
-
}
|
262
|
-
});
|
263
|
-
|
264
|
-
const dataKeyOptions = {
|
265
|
-
keyMaterial: new BSON.Binary(
|
266
|
-
Buffer.from(
|
267
|
-
'xPTAjBRG5JiPm+d3fj6XLi2q5DMXUS/f1f+SMAlhhwkhDRL0kr8r9GDLIGTAGlvC+HVjSIgdL+RKwZCvpXSyxTICWSXTUYsWYPyu3IoHbuBZdmw2faM3WhcRIgbMReU5',
|
268
|
-
'base64'
|
269
|
-
)
|
270
|
-
)
|
271
|
-
};
|
272
|
-
const dataKey = await encryption.createDataKey('local', dataKeyOptions);
|
273
|
-
expect(dataKey._bsontype).to.equal('Binary');
|
274
|
-
|
275
|
-
// Remove and re-insert with a fixed UUID to guarantee consistent output
|
276
|
-
const doc = (
|
277
|
-
await keyVaultColl.findOneAndDelete({ _id: dataKey }, { writeConcern: { w: 'majority' } })
|
278
|
-
).value;
|
279
|
-
doc._id = new BSON.Binary(Buffer.alloc(16), 4);
|
280
|
-
await keyVaultColl.insertOne(doc, { writeConcern: { w: 'majority' } });
|
281
|
-
|
282
|
-
const encrypted = await encryption.encrypt('test', {
|
283
|
-
keyId: doc._id,
|
284
|
-
algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'
|
285
|
-
});
|
286
|
-
expect(encrypted._bsontype).to.equal('Binary');
|
287
|
-
expect(encrypted.toString('base64')).to.equal(
|
288
|
-
'AQAAAAAAAAAAAAAAAAAAAAACz0ZOLuuhEYi807ZXTdhbqhLaS2/t9wLifJnnNYwiw79d75QYIZ6M/aYC1h9nCzCjZ7pGUpAuNnkUhnIXM3PjrA=='
|
289
|
-
);
|
290
|
-
});
|
291
|
-
|
292
|
-
it('should fail to create a data key if keyMaterial is wrong', function (done) {
|
293
|
-
const encryption = new ClientEncryption(client, {
|
294
|
-
keyVaultNamespace: 'client.encryption',
|
295
|
-
kmsProviders: { local: { key: 'A'.repeat(128) } }
|
296
|
-
});
|
297
|
-
|
298
|
-
const dataKeyOptions = {
|
299
|
-
keyMaterial: new BSON.Binary(Buffer.alloc(97))
|
300
|
-
};
|
301
|
-
try {
|
302
|
-
encryption.createDataKey('local', dataKeyOptions);
|
303
|
-
expect.fail('missed exception');
|
304
|
-
} catch (err) {
|
305
|
-
expect(err.message).to.equal('keyMaterial should have length 96, but has length 97');
|
306
|
-
done();
|
307
|
-
}
|
308
|
-
});
|
309
|
-
|
310
|
-
it('should explicitly encrypt and decrypt with the "local" KMS provider', function (done) {
|
311
|
-
const encryption = new ClientEncryption(client, {
|
312
|
-
keyVaultNamespace: 'client.encryption',
|
313
|
-
kmsProviders: { local: { key: Buffer.alloc(96) } }
|
314
|
-
});
|
315
|
-
|
316
|
-
encryption.createDataKey('local', (err, dataKey) => {
|
317
|
-
expect(err).to.not.exist;
|
318
|
-
|
319
|
-
const encryptOptions = {
|
320
|
-
keyId: dataKey,
|
321
|
-
algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'
|
322
|
-
};
|
323
|
-
|
324
|
-
encryption.encrypt('hello', encryptOptions, (err, encrypted) => {
|
325
|
-
expect(err).to.not.exist;
|
326
|
-
expect(encrypted._bsontype).to.equal('Binary');
|
327
|
-
expect(encrypted.sub_type).to.equal(6);
|
328
|
-
|
329
|
-
encryption.decrypt(encrypted, (err, decrypted) => {
|
330
|
-
expect(err).to.not.exist;
|
331
|
-
expect(decrypted).to.equal('hello');
|
332
|
-
done();
|
333
|
-
});
|
334
|
-
});
|
335
|
-
});
|
336
|
-
});
|
337
|
-
|
338
|
-
it('should explicitly encrypt and decrypt with the "local" KMS provider (promise)', function () {
|
339
|
-
const encryption = new ClientEncryption(client, {
|
340
|
-
keyVaultNamespace: 'client.encryption',
|
341
|
-
kmsProviders: { local: { key: Buffer.alloc(96) } }
|
342
|
-
});
|
343
|
-
|
344
|
-
return encryption
|
345
|
-
.createDataKey('local')
|
346
|
-
.then(dataKey => {
|
347
|
-
const encryptOptions = {
|
348
|
-
keyId: dataKey,
|
349
|
-
algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'
|
350
|
-
};
|
351
|
-
|
352
|
-
return encryption.encrypt('hello', encryptOptions);
|
353
|
-
})
|
354
|
-
.then(encrypted => {
|
355
|
-
expect(encrypted._bsontype).to.equal('Binary');
|
356
|
-
expect(encrypted.sub_type).to.equal(6);
|
357
|
-
|
358
|
-
return encryption.decrypt(encrypted);
|
359
|
-
})
|
360
|
-
.then(decrypted => {
|
361
|
-
expect(decrypted).to.equal('hello');
|
362
|
-
});
|
363
|
-
});
|
364
|
-
|
365
|
-
it('should explicitly encrypt and decrypt with a re-wrapped local key', function () {
|
366
|
-
// Create new ClientEncryption instances to make sure
|
367
|
-
// that we are actually using the rewrapped keys and not
|
368
|
-
// something that has been cached.
|
369
|
-
const newClientEncryption = () =>
|
370
|
-
new ClientEncryption(client, {
|
371
|
-
keyVaultNamespace: 'client.encryption',
|
372
|
-
kmsProviders: { local: { key: 'A'.repeat(128) } }
|
373
|
-
});
|
374
|
-
let encrypted;
|
375
|
-
|
376
|
-
return newClientEncryption()
|
377
|
-
.createDataKey('local')
|
378
|
-
.then(dataKey => {
|
379
|
-
const encryptOptions = {
|
380
|
-
keyId: dataKey,
|
381
|
-
algorithm: 'Indexed',
|
382
|
-
contentionFactor: 0
|
383
|
-
};
|
384
|
-
|
385
|
-
return newClientEncryption().encrypt('hello', encryptOptions);
|
386
|
-
})
|
387
|
-
.then(_encrypted => {
|
388
|
-
encrypted = _encrypted;
|
389
|
-
expect(encrypted._bsontype).to.equal('Binary');
|
390
|
-
expect(encrypted.sub_type).to.equal(6);
|
391
|
-
})
|
392
|
-
.then(() => {
|
393
|
-
return newClientEncryption().rewrapManyDataKey({});
|
394
|
-
})
|
395
|
-
.then(rewrapManyDataKeyResult => {
|
396
|
-
expect(rewrapManyDataKeyResult.bulkWriteResult.result.nModified).to.equal(1);
|
397
|
-
return newClientEncryption().decrypt(encrypted);
|
398
|
-
})
|
399
|
-
.then(decrypted => {
|
400
|
-
expect(decrypted).to.equal('hello');
|
401
|
-
});
|
402
|
-
});
|
403
|
-
|
404
|
-
it('should not perform updates if no keys match', function () {
|
405
|
-
const clientEncryption = new ClientEncryption(client, {
|
406
|
-
keyVaultNamespace: 'client.encryption',
|
407
|
-
kmsProviders: { local: { key: 'A'.repeat(128) } }
|
408
|
-
});
|
409
|
-
|
410
|
-
return clientEncryption.rewrapManyDataKey({ _id: 12345 }).then(rewrapManyDataKeyResult => {
|
411
|
-
expect(rewrapManyDataKeyResult.bulkWriteResult).to.equal(undefined);
|
412
|
-
});
|
413
|
-
});
|
414
|
-
|
415
|
-
it.skip('should explicitly encrypt and decrypt with a re-wrapped local key (explicit session/transaction)', function () {
|
416
|
-
const encryption = new ClientEncryption(client, {
|
417
|
-
keyVaultNamespace: 'client.encryption',
|
418
|
-
kmsProviders: { local: { key: 'A'.repeat(128) } }
|
419
|
-
});
|
420
|
-
let encrypted;
|
421
|
-
let rewrapManyDataKeyResult;
|
422
|
-
|
423
|
-
return encryption
|
424
|
-
.createDataKey('local')
|
425
|
-
.then(dataKey => {
|
426
|
-
const encryptOptions = {
|
427
|
-
keyId: dataKey,
|
428
|
-
algorithm: 'Indexed',
|
429
|
-
contentionFactor: 0
|
430
|
-
};
|
431
|
-
|
432
|
-
return encryption.encrypt('hello', encryptOptions);
|
433
|
-
})
|
434
|
-
.then(_encrypted => {
|
435
|
-
encrypted = _encrypted;
|
436
|
-
})
|
437
|
-
.then(() => {
|
438
|
-
// withSession does not forward the callback's return value, hence
|
439
|
-
// the slightly awkward 'rewrapManyDataKeyResult' passing here
|
440
|
-
return client.withSession(session => {
|
441
|
-
return session.withTransaction(() => {
|
442
|
-
expect(session.transaction.isStarting).to.equal(true);
|
443
|
-
expect(session.transaction.isActive).to.equal(true);
|
444
|
-
rewrapManyDataKeyResult = encryption.rewrapManyDataKey(
|
445
|
-
{},
|
446
|
-
{ provider: 'local', session }
|
447
|
-
);
|
448
|
-
return rewrapManyDataKeyResult.then(() => {
|
449
|
-
// Verify that the 'session' argument was actually used
|
450
|
-
expect(session.transaction.isStarting).to.equal(false);
|
451
|
-
expect(session.transaction.isActive).to.equal(true);
|
452
|
-
});
|
453
|
-
});
|
454
|
-
});
|
455
|
-
})
|
456
|
-
.then(() => {
|
457
|
-
return rewrapManyDataKeyResult;
|
458
|
-
})
|
459
|
-
.then(rewrapManyDataKeyResult => {
|
460
|
-
expect(rewrapManyDataKeyResult.bulkWriteResult.result.nModified).to.equal(1);
|
461
|
-
return encryption.decrypt(encrypted);
|
462
|
-
})
|
463
|
-
.then(decrypted => {
|
464
|
-
expect(decrypted).to.equal('hello');
|
465
|
-
});
|
466
|
-
}).skipReason = 'TODO(DRIVERS-2389): add explicit session support to key management API';
|
467
|
-
|
468
|
-
// TODO(NODE-3371): resolve KMS JSON response does not include string 'Plaintext'. HTTP status=200 error
|
469
|
-
it.skip('should explicitly encrypt and decrypt with the "aws" KMS provider', function (done) {
|
470
|
-
const encryption = new ClientEncryption(client, {
|
471
|
-
keyVaultNamespace: 'client.encryption',
|
472
|
-
kmsProviders: { aws: { accessKeyId: 'example', secretAccessKey: 'example' } }
|
473
|
-
});
|
474
|
-
|
475
|
-
const dataKeyOptions = {
|
476
|
-
masterKey: { region: 'region', key: 'cmk' }
|
477
|
-
};
|
478
|
-
|
479
|
-
encryption.createDataKey('aws', dataKeyOptions, (err, dataKey) => {
|
480
|
-
expect(err).to.not.exist;
|
481
|
-
|
482
|
-
const encryptOptions = {
|
483
|
-
keyId: dataKey,
|
484
|
-
algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'
|
485
|
-
};
|
486
|
-
|
487
|
-
encryption.encrypt('hello', encryptOptions, (err, encrypted) => {
|
488
|
-
expect(err).to.not.exist;
|
489
|
-
expect(encrypted).to.have.property('v');
|
490
|
-
expect(encrypted.v._bsontype).to.equal('Binary');
|
491
|
-
expect(encrypted.v.sub_type).to.equal(6);
|
492
|
-
|
493
|
-
encryption.decrypt(encrypted, (err, decrypted) => {
|
494
|
-
expect(err).to.not.exist;
|
495
|
-
expect(decrypted).to.equal('hello');
|
496
|
-
done();
|
497
|
-
});
|
498
|
-
});
|
499
|
-
});
|
500
|
-
}).skipReason =
|
501
|
-
"TODO(NODE-3371): resolve KMS JSON response does not include string 'Plaintext'. HTTP status=200 error";
|
502
|
-
});
|
503
|
-
|
504
|
-
describe('ClientEncryptionKeyAltNames', function () {
|
505
|
-
const kmsProviders = requirements.awsKmsProviders;
|
506
|
-
const dataKeyOptions = requirements.awsDataKeyOptions;
|
507
|
-
beforeEach(function () {
|
508
|
-
if (requirements.SKIP_AWS_TESTS) {
|
509
|
-
this.currentTest.skipReason = `requirements.SKIP_AWS_TESTS=${requirements.SKIP_AWS_TESTS}`;
|
510
|
-
this.currentTest.skip();
|
511
|
-
return;
|
512
|
-
}
|
513
|
-
|
514
|
-
return setup().then(() => {
|
515
|
-
this.client = client;
|
516
|
-
this.collection = client.db('client').collection('encryption');
|
517
|
-
this.encryption = new ClientEncryption(this.client, {
|
518
|
-
keyVaultNamespace: 'client.encryption',
|
519
|
-
kmsProviders
|
520
|
-
});
|
521
|
-
});
|
522
|
-
});
|
523
|
-
|
524
|
-
afterEach(function () {
|
525
|
-
return teardown().then(() => {
|
526
|
-
this.encryption = undefined;
|
527
|
-
this.collection = undefined;
|
528
|
-
this.client = undefined;
|
529
|
-
});
|
530
|
-
});
|
531
|
-
|
532
|
-
function makeOptions(keyAltNames) {
|
533
|
-
expect(dataKeyOptions.masterKey).to.be.an('object');
|
534
|
-
expect(dataKeyOptions.masterKey.key).to.be.a('string');
|
535
|
-
expect(dataKeyOptions.masterKey.region).to.be.a('string');
|
536
|
-
|
537
|
-
return {
|
538
|
-
masterKey: {
|
539
|
-
key: dataKeyOptions.masterKey.key,
|
540
|
-
region: dataKeyOptions.masterKey.region
|
541
|
-
},
|
542
|
-
keyAltNames
|
543
|
-
};
|
544
|
-
}
|
545
|
-
|
546
|
-
describe('errors', function () {
|
547
|
-
[42, 'hello', { keyAltNames: 'foobar' }, /foobar/].forEach(val => {
|
548
|
-
it(`should fail if typeof keyAltNames = ${typeof val}`, function () {
|
549
|
-
const options = makeOptions(val);
|
550
|
-
expect(() => this.encryption.createDataKey('aws', options, () => undefined)).to.throw(
|
551
|
-
TypeError
|
552
|
-
);
|
553
|
-
});
|
554
|
-
});
|
555
|
-
|
556
|
-
[undefined, null, 42, { keyAltNames: 'foobar' }, ['foobar'], /foobar/].forEach(val => {
|
557
|
-
it(`should fail if typeof keyAltNames[x] = ${typeof val}`, function () {
|
558
|
-
const options = makeOptions([val]);
|
559
|
-
expect(() => this.encryption.createDataKey('aws', options, () => undefined)).to.throw(
|
560
|
-
TypeError
|
561
|
-
);
|
562
|
-
});
|
563
|
-
});
|
564
|
-
});
|
565
|
-
|
566
|
-
it('should create a key with keyAltNames', function () {
|
567
|
-
let dataKey;
|
568
|
-
const options = makeOptions(['foobar']);
|
569
|
-
return this.encryption
|
570
|
-
.createDataKey('aws', options)
|
571
|
-
.then(_dataKey => (dataKey = _dataKey))
|
572
|
-
.then(() => this.collection.findOne({ keyAltNames: 'foobar' }))
|
573
|
-
.then(document => {
|
574
|
-
expect(document).to.be.an('object');
|
575
|
-
expect(document).to.have.property('keyAltNames').that.includes.members(['foobar']);
|
576
|
-
expect(document).to.have.property('_id').that.deep.equals(dataKey);
|
577
|
-
});
|
578
|
-
});
|
579
|
-
|
580
|
-
it('should create a key with multiple keyAltNames', function () {
|
581
|
-
let dataKey;
|
582
|
-
return this.encryption
|
583
|
-
.createDataKey('aws', makeOptions(['foobar', 'fizzbuzz']))
|
584
|
-
.then(_dataKey => (dataKey = _dataKey))
|
585
|
-
.then(() =>
|
586
|
-
Promise.all([
|
587
|
-
this.collection.findOne({ keyAltNames: 'foobar' }),
|
588
|
-
this.collection.findOne({ keyAltNames: 'fizzbuzz' })
|
589
|
-
])
|
590
|
-
)
|
591
|
-
.then(docs => {
|
592
|
-
expect(docs).to.have.lengthOf(2);
|
593
|
-
const doc1 = docs[0];
|
594
|
-
const doc2 = docs[1];
|
595
|
-
expect(doc1).to.be.an('object');
|
596
|
-
expect(doc2).to.be.an('object');
|
597
|
-
expect(doc1)
|
598
|
-
.to.have.property('keyAltNames')
|
599
|
-
.that.includes.members(['foobar', 'fizzbuzz']);
|
600
|
-
expect(doc1).to.have.property('_id').that.deep.equals(dataKey);
|
601
|
-
expect(doc2)
|
602
|
-
.to.have.property('keyAltNames')
|
603
|
-
.that.includes.members(['foobar', 'fizzbuzz']);
|
604
|
-
expect(doc2).to.have.property('_id').that.deep.equals(dataKey);
|
605
|
-
});
|
606
|
-
});
|
607
|
-
|
608
|
-
it('should be able to reference a key with `keyAltName` during encryption', function () {
|
609
|
-
let keyId;
|
610
|
-
const keyAltName = 'mySpecialKey';
|
611
|
-
const algorithm = 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic';
|
612
|
-
|
613
|
-
const valueToEncrypt = 'foobar';
|
614
|
-
|
615
|
-
return this.encryption
|
616
|
-
.createDataKey('aws', makeOptions([keyAltName]))
|
617
|
-
.then(_dataKey => (keyId = _dataKey))
|
618
|
-
.then(() => this.encryption.encrypt(valueToEncrypt, { keyId, algorithm }))
|
619
|
-
.then(encryptedValue => {
|
620
|
-
return this.encryption
|
621
|
-
.encrypt(valueToEncrypt, { keyAltName, algorithm })
|
622
|
-
.then(encryptedValue2 => {
|
623
|
-
expect(encryptedValue).to.deep.equal(encryptedValue2);
|
624
|
-
});
|
625
|
-
});
|
626
|
-
});
|
627
|
-
});
|
628
|
-
|
629
|
-
context('with stubbed key material and fixed random source', function () {
|
630
|
-
let sandbox = sinon.createSandbox();
|
631
|
-
|
632
|
-
afterEach(() => {
|
633
|
-
sandbox.restore();
|
634
|
-
});
|
635
|
-
beforeEach(() => {
|
636
|
-
const rndData = Buffer.from(
|
637
|
-
'\x4d\x06\x95\x64\xf5\xa0\x5e\x9e\x35\x23\xb9\x8f\x57\x5a\xcb\x15',
|
638
|
-
'latin1'
|
639
|
-
);
|
640
|
-
let rndPos = 0;
|
641
|
-
sandbox.stub(cryptoCallbacks, 'randomHook').callsFake((buffer, count) => {
|
642
|
-
if (rndPos + count > rndData) {
|
643
|
-
return new Error('Out of fake random data');
|
644
|
-
}
|
645
|
-
buffer.set(rndData.subarray(rndPos, rndPos + count));
|
646
|
-
rndPos += count;
|
647
|
-
return count;
|
648
|
-
});
|
649
|
-
|
650
|
-
// stubbed out for AWS unit testing below
|
651
|
-
sandbox.stub(StateMachine.prototype, 'fetchKeys').callsFake((client, ns, filter, cb) => {
|
652
|
-
filter = deserialize(filter);
|
653
|
-
const keyIds = filter.$or[0]._id.$in.map(key => key.toString('hex'));
|
654
|
-
const fileNames = keyIds.map(
|
655
|
-
keyId => `${__dirname}/../../../test/data/keys/${keyId.toUpperCase()}-local-document.json`
|
656
|
-
);
|
657
|
-
const contents = fileNames.map(filename => EJSON.parse(fs.readFileSync(filename)));
|
658
|
-
cb(null, contents);
|
659
|
-
});
|
660
|
-
});
|
661
|
-
|
662
|
-
// This exactly matches _test_encrypt_fle2_explicit from the C tests
|
663
|
-
it('should explicitly encrypt and decrypt with the "local" KMS provider (FLE2, exact result)', function () {
|
664
|
-
const encryption = new ClientEncryption(new MockClient(), {
|
665
|
-
keyVaultNamespace: 'client.encryption',
|
666
|
-
kmsProviders: { local: { key: Buffer.alloc(96) } }
|
667
|
-
});
|
668
|
-
|
669
|
-
const encryptOptions = {
|
670
|
-
keyId: new Binary(Buffer.from('ABCDEFAB123498761234123456789012', 'hex'), 4),
|
671
|
-
algorithm: 'Unindexed'
|
672
|
-
};
|
673
|
-
|
674
|
-
return encryption
|
675
|
-
.encrypt('value123', encryptOptions)
|
676
|
-
.then(encrypted => {
|
677
|
-
expect(encrypted._bsontype).to.equal('Binary');
|
678
|
-
expect(encrypted.sub_type).to.equal(6);
|
679
|
-
return encryption.decrypt(encrypted);
|
680
|
-
})
|
681
|
-
.then(decrypted => {
|
682
|
-
expect(decrypted).to.equal('value123');
|
683
|
-
});
|
684
|
-
});
|
685
|
-
});
|
686
|
-
|
687
|
-
describe('encrypt()', function () {
|
688
|
-
let clientEncryption;
|
689
|
-
let completeOptions;
|
690
|
-
let dataKey;
|
691
|
-
|
692
|
-
beforeEach(async function () {
|
693
|
-
if (requirements.SKIP_LIVE_TESTS) {
|
694
|
-
this.currentTest.skipReason = `requirements.SKIP_LIVE_TESTS=${requirements.SKIP_LIVE_TESTS}`;
|
695
|
-
this.test.skip();
|
696
|
-
return;
|
697
|
-
}
|
698
|
-
|
699
|
-
await setup();
|
700
|
-
clientEncryption = new ClientEncryption(client, {
|
701
|
-
keyVaultNamespace: 'client.encryption',
|
702
|
-
kmsProviders: { local: { key: Buffer.alloc(96) } }
|
703
|
-
});
|
704
|
-
|
705
|
-
dataKey = await clientEncryption.createDataKey('local', {
|
706
|
-
name: 'local',
|
707
|
-
kmsProviders: { local: { key: Buffer.alloc(96) } }
|
708
|
-
});
|
709
|
-
|
710
|
-
completeOptions = {
|
711
|
-
algorithm: 'RangePreview',
|
712
|
-
contentionFactor: 0,
|
713
|
-
rangeOptions: {
|
714
|
-
min: new BSON.Long(0),
|
715
|
-
max: new BSON.Long(10),
|
716
|
-
sparsity: new BSON.Long(1)
|
717
|
-
},
|
718
|
-
keyId: dataKey
|
719
|
-
};
|
720
|
-
});
|
721
|
-
|
722
|
-
afterEach(() => teardown());
|
723
|
-
|
724
|
-
context('when expressionMode is incorrectly provided as an argument', function () {
|
725
|
-
it('overrides the provided option with the correct value for expression mode', async function () {
|
726
|
-
const optionsWithExpressionMode = { ...completeOptions, expressionMode: true };
|
727
|
-
const result = await clientEncryption.encrypt(
|
728
|
-
new mongodb.Long(0),
|
729
|
-
optionsWithExpressionMode
|
730
|
-
);
|
731
|
-
|
732
|
-
expect(result).to.be.instanceof(Binary);
|
733
|
-
});
|
734
|
-
});
|
735
|
-
});
|
736
|
-
|
737
|
-
describe('encryptExpression()', function () {
|
738
|
-
let clientEncryption;
|
739
|
-
let completeOptions;
|
740
|
-
let dataKey;
|
741
|
-
const expression = {
|
742
|
-
$and: [{ someField: { $gt: 1 } }]
|
743
|
-
};
|
744
|
-
|
745
|
-
beforeEach(async function () {
|
746
|
-
if (requirements.SKIP_LIVE_TESTS) {
|
747
|
-
this.currentTest.skipReason = `requirements.SKIP_LIVE_TESTS=${requirements.SKIP_LIVE_TESTS}`;
|
748
|
-
this.test.skip();
|
749
|
-
return;
|
750
|
-
}
|
751
|
-
|
752
|
-
await setup();
|
753
|
-
clientEncryption = new ClientEncryption(client, {
|
754
|
-
keyVaultNamespace: 'client.encryption',
|
755
|
-
kmsProviders: { local: { key: Buffer.alloc(96) } }
|
756
|
-
});
|
757
|
-
|
758
|
-
dataKey = await clientEncryption.createDataKey('local', {
|
759
|
-
name: 'local',
|
760
|
-
kmsProviders: { local: { key: Buffer.alloc(96) } }
|
761
|
-
});
|
762
|
-
|
763
|
-
completeOptions = {
|
764
|
-
algorithm: 'RangePreview',
|
765
|
-
queryType: 'rangePreview',
|
766
|
-
contentionFactor: 0,
|
767
|
-
rangeOptions: {
|
768
|
-
min: new BSON.Int32(0),
|
769
|
-
max: new BSON.Int32(10),
|
770
|
-
sparsity: new BSON.Long(1)
|
771
|
-
},
|
772
|
-
keyId: dataKey
|
773
|
-
};
|
774
|
-
});
|
775
|
-
|
776
|
-
afterEach(() => teardown());
|
777
|
-
|
778
|
-
it('throws if rangeOptions is not provided', async function () {
|
779
|
-
expect(delete completeOptions.rangeOptions).to.be.true;
|
780
|
-
const errorOrResult = await clientEncryption
|
781
|
-
.encryptExpression(expression, completeOptions)
|
782
|
-
.catch(e => e);
|
783
|
-
|
784
|
-
expect(errorOrResult).to.be.instanceof(TypeError);
|
785
|
-
});
|
786
|
-
|
787
|
-
it('throws if algorithm is not provided', async function () {
|
788
|
-
expect(delete completeOptions.algorithm).to.be.true;
|
789
|
-
const errorOrResult = await clientEncryption
|
790
|
-
.encryptExpression(expression, completeOptions)
|
791
|
-
.catch(e => e);
|
792
|
-
|
793
|
-
expect(errorOrResult).to.be.instanceof(TypeError);
|
794
|
-
});
|
795
|
-
|
796
|
-
it(`throws if algorithm does not equal 'rangePreview'`, async function () {
|
797
|
-
completeOptions['algorithm'] = 'equality';
|
798
|
-
const errorOrResult = await clientEncryption
|
799
|
-
.encryptExpression(expression, completeOptions)
|
800
|
-
.catch(e => e);
|
801
|
-
|
802
|
-
expect(errorOrResult).to.be.instanceof(TypeError);
|
803
|
-
});
|
804
|
-
|
805
|
-
it(`does not throw if algorithm has different casing than 'rangePreview'`, async function () {
|
806
|
-
completeOptions['algorithm'] = 'rAnGePrEvIeW';
|
807
|
-
const errorOrResult = await clientEncryption
|
808
|
-
.encryptExpression(expression, completeOptions)
|
809
|
-
.catch(e => e);
|
810
|
-
|
811
|
-
expect(errorOrResult).not.to.be.instanceof(Error);
|
812
|
-
});
|
813
|
-
|
814
|
-
context('when expressionMode is incorrectly provided as an argument', function () {
|
815
|
-
it('overrides the provided option with the correct value for expression mode', async function () {
|
816
|
-
const optionsWithExpressionMode = { ...completeOptions, expressionMode: false };
|
817
|
-
const result = await clientEncryption.encryptExpression(
|
818
|
-
expression,
|
819
|
-
optionsWithExpressionMode
|
820
|
-
);
|
821
|
-
|
822
|
-
expect(result).not.to.be.instanceof(Binary);
|
823
|
-
});
|
824
|
-
});
|
825
|
-
});
|
826
|
-
|
827
|
-
it('should provide the libmongocrypt version', function () {
|
828
|
-
expect(ClientEncryption.libmongocryptVersion).to.be.a('string');
|
829
|
-
});
|
830
|
-
|
831
|
-
describe('createEncryptedCollection()', () => {
|
832
|
-
/** @type {InstanceType<ClientEncryption>} */
|
833
|
-
let clientEncryption;
|
834
|
-
const client = new MockClient();
|
835
|
-
let db;
|
836
|
-
const collectionName = 'secure';
|
837
|
-
|
838
|
-
beforeEach(async function () {
|
839
|
-
clientEncryption = new ClientEncryption(client, {
|
840
|
-
keyVaultNamespace: 'client.encryption',
|
841
|
-
kmsProviders: { local: { key: Buffer.alloc(96, 0) } }
|
842
|
-
});
|
843
|
-
|
844
|
-
db = client.db('createEncryptedCollectionDb');
|
845
|
-
});
|
846
|
-
|
847
|
-
afterEach(async () => {
|
848
|
-
sinon.restore();
|
849
|
-
});
|
850
|
-
|
851
|
-
context('validates input', () => {
|
852
|
-
it('throws TypeError if options are omitted', async () => {
|
853
|
-
const error = await clientEncryption
|
854
|
-
.createEncryptedCollection(db, collectionName)
|
855
|
-
.catch(error => error);
|
856
|
-
expect(error).to.be.instanceOf(TypeError, /provider/);
|
857
|
-
});
|
858
|
-
|
859
|
-
it('throws TypeError if options.createCollectionOptions are omitted', async () => {
|
860
|
-
const error = await clientEncryption
|
861
|
-
.createEncryptedCollection(db, collectionName, {})
|
862
|
-
.catch(error => error);
|
863
|
-
expect(error).to.be.instanceOf(TypeError, /encryptedFields/);
|
864
|
-
});
|
865
|
-
|
866
|
-
it('throws TypeError if options.createCollectionOptions.encryptedFields are omitted', async () => {
|
867
|
-
const error = await clientEncryption
|
868
|
-
.createEncryptedCollection(db, collectionName, { createCollectionOptions: {} })
|
869
|
-
.catch(error => error);
|
870
|
-
expect(error).to.be.instanceOf(TypeError, /Cannot read properties/);
|
871
|
-
});
|
872
|
-
});
|
873
|
-
|
874
|
-
context('when options.encryptedFields.fields is not an array', () => {
|
875
|
-
it('does not generate any encryption keys', async () => {
|
876
|
-
const createCollectionSpy = sinon.spy(db, 'createCollection');
|
877
|
-
const createDataKeySpy = sinon.spy(clientEncryption, 'createDataKey');
|
878
|
-
await clientEncryption.createEncryptedCollection(db, collectionName, {
|
879
|
-
createCollectionOptions: { encryptedFields: { fields: 'not an array' } }
|
880
|
-
});
|
881
|
-
|
882
|
-
expect(createDataKeySpy.callCount).to.equal(0);
|
883
|
-
const options = createCollectionSpy.getCall(0).args[1];
|
884
|
-
expect(options).to.deep.equal({ encryptedFields: { fields: 'not an array' } });
|
885
|
-
});
|
886
|
-
});
|
887
|
-
|
888
|
-
context('when options.encryptedFields.fields elements are not objects', () => {
|
889
|
-
it('they are passed along to createCollection', async () => {
|
890
|
-
const createCollectionSpy = sinon.spy(db, 'createCollection');
|
891
|
-
const keyId = new Binary(Buffer.alloc(16, 0));
|
892
|
-
const createDataKeyStub = sinon.stub(clientEncryption, 'createDataKey').resolves(keyId);
|
893
|
-
await clientEncryption.createEncryptedCollection(db, collectionName, {
|
894
|
-
createCollectionOptions: {
|
895
|
-
encryptedFields: { fields: ['not an array', { keyId: null }, { keyId: {} }] }
|
896
|
-
}
|
897
|
-
});
|
898
|
-
|
899
|
-
expect(createDataKeyStub.callCount).to.equal(1);
|
900
|
-
const options = createCollectionSpy.getCall(0).args[1];
|
901
|
-
expect(options).to.deep.equal({
|
902
|
-
encryptedFields: { fields: ['not an array', { keyId: keyId }, { keyId: {} }] }
|
903
|
-
});
|
904
|
-
});
|
905
|
-
});
|
906
|
-
|
907
|
-
it('only passes options.masterKey to createDataKey', async () => {
|
908
|
-
const masterKey = Symbol('key');
|
909
|
-
const createDataKey = sinon
|
910
|
-
.stub(clientEncryption, 'createDataKey')
|
911
|
-
.resolves(new Binary(Buffer.alloc(16, 0)));
|
912
|
-
const result = await clientEncryption.createEncryptedCollection(db, collectionName, {
|
913
|
-
provider: 'aws',
|
914
|
-
createCollectionOptions: { encryptedFields: { fields: [{}] } },
|
915
|
-
masterKey
|
916
|
-
});
|
917
|
-
expect(result).to.have.property('collection');
|
918
|
-
expect(createDataKey).to.have.been.calledOnceWithExactly('aws', { masterKey });
|
919
|
-
});
|
920
|
-
|
921
|
-
context('when createDataKey rejects', () => {
|
922
|
-
const customErrorEvil = new Error('evil!');
|
923
|
-
const customErrorGood = new Error('good!');
|
924
|
-
const keyId = new Binary(Buffer.alloc(16, 0), 4);
|
925
|
-
const createCollectionOptions = {
|
926
|
-
encryptedFields: { fields: [{}, {}, { keyId: 'cool id!' }, {}] }
|
927
|
-
};
|
928
|
-
const createDataKeyRejection = async () => {
|
929
|
-
const stub = sinon.stub(clientEncryption, 'createDataKey');
|
930
|
-
stub.onCall(0).resolves(keyId);
|
931
|
-
stub.onCall(1).rejects(customErrorEvil);
|
932
|
-
stub.onCall(2).rejects(customErrorGood);
|
933
|
-
stub.onCall(4).resolves(keyId);
|
934
|
-
|
935
|
-
const error = await clientEncryption
|
936
|
-
.createEncryptedCollection(db, collectionName, {
|
937
|
-
provider: 'local',
|
938
|
-
createCollectionOptions
|
939
|
-
})
|
940
|
-
.catch(error => error);
|
941
|
-
|
942
|
-
// At least make sure the function did not succeed
|
943
|
-
expect(error).to.be.instanceOf(Error);
|
944
|
-
|
945
|
-
return error;
|
946
|
-
};
|
947
|
-
|
948
|
-
it('throws MongoCryptCreateDataKeyError', async () => {
|
949
|
-
const error = await createDataKeyRejection();
|
950
|
-
expect(error).to.be.instanceOf(MongoCryptCreateDataKeyError);
|
951
|
-
});
|
952
|
-
|
953
|
-
it('thrown error has a cause set to the first error that was thrown from createDataKey', async () => {
|
954
|
-
const error = await createDataKeyRejection();
|
955
|
-
expect(error.cause).to.equal(customErrorEvil);
|
956
|
-
expect(error.message).to.include(customErrorEvil.message);
|
957
|
-
});
|
958
|
-
|
959
|
-
it('thrown error contains partially filled encryptedFields.fields', async () => {
|
960
|
-
const error = await createDataKeyRejection();
|
961
|
-
expect(error.encryptedFields).property('fields').that.is.an('array');
|
962
|
-
expect(error.encryptedFields.fields).to.have.lengthOf(
|
963
|
-
createCollectionOptions.encryptedFields.fields.length
|
964
|
-
);
|
965
|
-
expect(error.encryptedFields.fields).to.have.nested.property('[0].keyId', keyId);
|
966
|
-
expect(error.encryptedFields.fields).to.not.have.nested.property('[1].keyId');
|
967
|
-
expect(error.encryptedFields.fields).to.have.nested.property('[2].keyId', 'cool id!');
|
968
|
-
});
|
969
|
-
});
|
970
|
-
|
971
|
-
context('when createCollection rejects', () => {
|
972
|
-
const customError = new Error('evil!');
|
973
|
-
const keyId = new Binary(Buffer.alloc(16, 0), 4);
|
974
|
-
const createCollectionRejection = async () => {
|
975
|
-
const stubCreateDataKey = sinon.stub(clientEncryption, 'createDataKey');
|
976
|
-
stubCreateDataKey.onCall(0).resolves(keyId);
|
977
|
-
stubCreateDataKey.onCall(1).resolves(keyId);
|
978
|
-
stubCreateDataKey.onCall(2).resolves(keyId);
|
979
|
-
|
980
|
-
sinon.stub(db, 'createCollection').rejects(customError);
|
981
|
-
|
982
|
-
const createCollectionOptions = {
|
983
|
-
encryptedFields: { fields: [{}, {}, { keyId: 'cool id!' }] }
|
984
|
-
};
|
985
|
-
const error = await clientEncryption
|
986
|
-
.createEncryptedCollection(db, collectionName, {
|
987
|
-
provider: 'local',
|
988
|
-
createCollectionOptions
|
989
|
-
})
|
990
|
-
.catch(error => error);
|
991
|
-
|
992
|
-
// At least make sure the function did not succeed
|
993
|
-
expect(error).to.be.instanceOf(Error);
|
994
|
-
|
995
|
-
return error;
|
996
|
-
};
|
997
|
-
|
998
|
-
it('throws MongoCryptCreateEncryptedCollectionError', async () => {
|
999
|
-
const error = await createCollectionRejection();
|
1000
|
-
expect(error).to.be.instanceOf(MongoCryptCreateEncryptedCollectionError);
|
1001
|
-
});
|
1002
|
-
|
1003
|
-
it('thrown error has a cause set to the error that was thrown from createCollection', async () => {
|
1004
|
-
const error = await createCollectionRejection();
|
1005
|
-
expect(error.cause).to.equal(customError);
|
1006
|
-
expect(error.message).to.include(customError.message);
|
1007
|
-
});
|
1008
|
-
|
1009
|
-
it('thrown error contains filled encryptedFields.fields', async () => {
|
1010
|
-
const error = await createCollectionRejection();
|
1011
|
-
expect(error.encryptedFields).property('fields').that.is.an('array');
|
1012
|
-
expect(error.encryptedFields.fields).to.have.nested.property('[0].keyId', keyId);
|
1013
|
-
expect(error.encryptedFields.fields).to.have.nested.property('[1].keyId', keyId);
|
1014
|
-
expect(error.encryptedFields.fields).to.have.nested.property('[2].keyId', 'cool id!');
|
1015
|
-
});
|
1016
|
-
});
|
1017
|
-
|
1018
|
-
context('when there are nullish keyIds in the encryptedFields.fields array', function () {
|
1019
|
-
it('does not mutate the input fields array when generating data keys', async () => {
|
1020
|
-
const encryptedFields = Object.freeze({
|
1021
|
-
escCollection: 'esc',
|
1022
|
-
eccCollection: 'ecc',
|
1023
|
-
ecocCollection: 'ecoc',
|
1024
|
-
fields: Object.freeze([
|
1025
|
-
Object.freeze({ keyId: false }),
|
1026
|
-
Object.freeze({
|
1027
|
-
keyId: null,
|
1028
|
-
path: 'name',
|
1029
|
-
bsonType: 'int',
|
1030
|
-
queries: Object.freeze({ contentionFactor: 0 })
|
1031
|
-
}),
|
1032
|
-
null
|
1033
|
-
])
|
1034
|
-
});
|
1035
|
-
|
1036
|
-
const keyId = new Binary(Buffer.alloc(16, 0), 4);
|
1037
|
-
sinon.stub(clientEncryption, 'createDataKey').resolves(keyId);
|
1038
|
-
|
1039
|
-
const { collection, encryptedFields: resultEncryptedFields } =
|
1040
|
-
await clientEncryption.createEncryptedCollection(db, collectionName, {
|
1041
|
-
provider: 'local',
|
1042
|
-
createCollectionOptions: {
|
1043
|
-
encryptedFields
|
1044
|
-
}
|
1045
|
-
});
|
1046
|
-
|
1047
|
-
expect(collection).to.have.property('namespace', 'createEncryptedCollectionDb.secure');
|
1048
|
-
expect(encryptedFields, 'original encryptedFields should be unmodified').nested.property(
|
1049
|
-
'fields[0].keyId',
|
1050
|
-
false
|
1051
|
-
);
|
1052
|
-
expect(
|
1053
|
-
resultEncryptedFields,
|
1054
|
-
'encryptedFields created by helper should have replaced nullish keyId'
|
1055
|
-
).nested.property('fields[1].keyId', keyId);
|
1056
|
-
expect(encryptedFields, 'original encryptedFields should be unmodified').nested.property(
|
1057
|
-
'fields[2]',
|
1058
|
-
null
|
1059
|
-
);
|
1060
|
-
});
|
1061
|
-
|
1062
|
-
it('generates dataKeys for all null keyIds in the fields array', async () => {
|
1063
|
-
const encryptedFields = Object.freeze({
|
1064
|
-
escCollection: 'esc',
|
1065
|
-
eccCollection: 'ecc',
|
1066
|
-
ecocCollection: 'ecoc',
|
1067
|
-
fields: Object.freeze([
|
1068
|
-
Object.freeze({ keyId: null }),
|
1069
|
-
Object.freeze({ keyId: null }),
|
1070
|
-
Object.freeze({ keyId: null })
|
1071
|
-
])
|
1072
|
-
});
|
1073
|
-
|
1074
|
-
const keyId = new Binary(Buffer.alloc(16, 0), 4);
|
1075
|
-
sinon.stub(clientEncryption, 'createDataKey').resolves(keyId);
|
1076
|
-
|
1077
|
-
const { collection, encryptedFields: resultEncryptedFields } =
|
1078
|
-
await clientEncryption.createEncryptedCollection(db, collectionName, {
|
1079
|
-
provider: 'local',
|
1080
|
-
createCollectionOptions: {
|
1081
|
-
encryptedFields
|
1082
|
-
}
|
1083
|
-
});
|
1084
|
-
|
1085
|
-
expect(collection).to.have.property('namespace', 'createEncryptedCollectionDb.secure');
|
1086
|
-
expect(resultEncryptedFields.fields).to.have.lengthOf(3);
|
1087
|
-
expect(resultEncryptedFields.fields.filter(({ keyId }) => keyId === null)).to.have.lengthOf(
|
1088
|
-
0
|
1089
|
-
);
|
1090
|
-
});
|
1091
|
-
});
|
1092
|
-
});
|
1093
|
-
});
|